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SUMMARY 


The constraint of requiring airplanes to have inherent aerodynamic 
stability can be removed by using active control systems. The resulting air- 
plane requires control system reliability approaching that of the basic 
airframe. Redundant control actuators can be used to achieve the required reli- 
ability, but create mechanization and operational problems. Of numerous 
candidate systems, tvo different approaches to solving the problems associated 
with redundant actuators appear the most likely to be used in advanced airplane 
control systems. 


INTRODUCTION 


Future civil aircraft will have to take advantage of all possible gains 
in aerodynamic efficiency and weight reduction to be economically viable. It 
has been shown in previous studies by Boeing and others that gains in aero- 
dynamic efficiency and reduction in airplane weight can be achieved by placing 
the center of gravity aft of the longitudinal maneuver point. The resulting 
unstable airplane must be augmented through the flight control system to pro- 
vide acceptable handling qualities. If the stability of the airplane is 
critical, such that loss of the augmentation would result in loss of the air- 
plane, the control system reliability must approach that of the basic airframe. 
To meet this level of reliability, special consideration must be given to the 
control system design. Such considerations Include design simplification, 
derating of components, elimination of electrical connectors, and physical iso- 
lation of electrical wiring and hydraulic power. Even then redundancy is 
usually required to obtain satisfactory reliability from the complex hydraulic 
actuators and electronic control systems used in airplane flight controls. 

Use of redundancy to achieve reliability has always been an accepted 
engineering design technique. However, the advantages of redundancy are not 
easily realized in control systems because of signal channel interaction, 
failvure effects, performance degradation after failures, null shift with chan- 
nel switching and failure detection problems. If force voted multiple hydraulic 
actuators are used to drive a single load, actuator load sharing also becomes 
a concern. Methods of insuring proper load sharing can reduce load reaction 
stiffness, cause poor resolution, and may lead to dynamic instability if not 
properly designed and built. Monitoring used to effect the orderly shutdown 
of failed elements may cause inadvertent shutdown of good elements. All of 
these problem areas with respect to redundant control systems and actuators 
require careful consideration in control system design and mechanization. 
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REDUNDANCY REQUIRENEHTS 


Redundancy requireinients for flight control actuation systems can be 
divided into two areas, the requirement for flutter free control surfaces and 
the maintenance of critical control surface operation. 

The need to minimize airplane weight reduces the penuissible use of 
control, surface mass balance as a means of preventing control stxrface flutter. 
If mass balance is not used, the svirface must be restrained by the surface 
control system. The Federal Aviation Regulations, Voltane III, Part 25, 
paragraph 25*629, ”Flutter, deformation, and fail-safe criteria,” requires 
that an airplane be free from flutter after any single failure in the flight 
control system, plus any other "reasonably probable” single failure or mal- 
function affecting flutter. Hydraulic system failures are classified as 
"reasonably probable” by the PAA. Therefore, when airplane design dictates 
that control surfaces be restrained by the surface power actuators to avoid 
the mass balance weight penalty, these requirements dictate a need for at 
least two surface power actuators and three hydraulic systems for each surface. 

Independent of considerations for suppression of surface flutter, surface 
power actuator redundancy is also Influenced by the need to maintain control 
of the airplane flight path. The Federal Aviation Regulations, Volume III, 
Part 25, paragraph 25* 671* requires, in part, that the airplane must be cap- 
able of safe flight and landing after any single failure, excluding Jamming, 
in combination with any probable hydraulic or electrical system failure. 

One form of redundancy to assure continuance of control function would 
be to use multiple aerodynamic surface segments, independently controlled, 
in each airplane axis. If actuator redundancy were not required for pre- 
vention of flutter, each surface could be controlled by a single actxiator. 
Degraded, but safe, operation would be possible if one or more surface seg- 
ments became inoperable. This feature is used in some current airplanes. 
However, if the airplane design is such that a limited number of flight 
control surfaces are available or if all control surfaces in an axis are 
needed for flight path control, each surface must remain controllable after 
certain dual control system failures. 

Advanced supersonic airplanes will probably be limited in use of control 
surface redundancy, paarticularly in the longitudinal axis, because of the need 
to attain maximum aerodynamic efficiency. The need for minimum weight in an 
advanced supersonic transport airplane will also limit the consideration of 
mass balance for flutter prevention. These two factors are sufficient to set 
the minimum red\mdancy level for surface power actuators and show the need 
for redvindancy in flight control actuation systems. 
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ACTUAIOR REDUNDANCY MECHANIZATION 


There axe two distinct categories of mechanization applied to redundant 
actuator channels used in aircraft control systems. One type is the parallel 
active configvtration, and the other type is the active/ standby configuration. 
The principle differences between the two types are as follows: 

a. Since the parallel active technique implies that the control channels 
are working together at some point in the control system, the failure of one 
of the control channels can cause an output performance change. For an 
active/standby system, the control elements operate independently and failures 
of the active control element causes transfer to a correctly operating standby 
channel with no performance degradation* 

b. With a parallel active system all of the control channels are working 
at the same time and the fail\u*e of one channel is compensated for by the 
remaining correctly operating channels (to varying degrees) . It is not neces- 
sary to rapidly switch the failed channel off. With an active/standby 
mechanization, rapid transfer between control elements is essentied (with the 
actual required transfer time being determined by the particular application). 

There are three options available in mechanization of parallel active 
systems. The control channels can be brought together and the actuator out- 
puts summed in the following ways: 

a. Force voting 

b . Velocity summing 

c . Position summing 

Force voting is the most common technique used in mechanizing parallel 
active systems. By force voting several actuators on a common output, an 
output representing the mid value of all input commands can be achieved. Many 
examples of this type of system exist. The Boeing 7^7 pitch and roll autopilot 
actuators (autoland option), and the GE 680J F-4 roll and yaw secondary actu- 
ators are typical. One problem with this type of system that does not exist 
with other types is the force fight that can occur between acttiator channels 
when channels differ in input comnand or actuator characteristics. 

Velocity siaaming is an alternate parallel active meclumization which does 
not incur the force fight problems of the force voted systems. Probably the 
best example of this method is the electromechanical secondairy actuator devel- 
oped by LTV for the 680J F-U pitch axis. This mechanization uses servo motors 
summed through differential gear boxes. Net output velocity is the sum of 
the individual motor velocities and the force output is the sum of the 
individual force outputs of the servo motors. 

Position stumning systems have no actuator force fight. However, since 
the individual actuators are summed by differential linkage, a channel failure 
or actuator shutdown will reduce total output stroke capability. Each indi- 
vidual actuator must have a larger stroke than the minimum allowable output 
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stroke to accommodate channel failures, 'Phis characteristic restricts the 
application of the position summing technique to systems that require only 
small output displacement. It has heen used in dual systems for series 
actuation. Examples are the Boeing 737 dual yaw damper and the dual channel 
series actuators on the Grumman F-lU. Mechanization becomes difficult when 
more than two actuators are summed because of linkage complexity. 


ACTUATOR REDUNDANCY IMPLEMENTATION FACTORS 


There are several factors that must be considered when redundant 
actuators are used, The most significant are those that affect normsil opera- 
tion, operation after failures, said cause interface problems. These are 
outlined below. 

Failure InsensitlYity 


Failure insensitivity is the ability of a redundant control system to 
experience failures and automatically continue operation with an acceptable 
transient. If the system performs a critical function, operation must be 
maintained in the presence of one or more failures; i.e., be fail operational. 
However, a fail operational system does not insure minimum control system 
trsoisients. The criticality of transients has an impact on the detail design 
of the system. All four methods of redundancy mechanization can be fail 
operational. However, the number of channels required and failure 
characterisitcs vary as discussed below: 

a. Fail-operational capability csn be achieved in parallel active 
systems by majority voting or averaging three or more active actuators. 

With three active channels operation continues after the first failure. With 
four channels operation continues after two failures. In voting systems the 
first failed channel must be disconnected before the second channel fails 
for the system to remain operational. In the force voted systems the failed 
channel is automatically overpowered by the remaining channels and the mag- 
nitude of the failure transient can be insignificant. Displacement and 
velocity sianming provide an averaged output but have inherent failure tran- 
sients and steady state null offset after failure. The magnitude of the 
treuisients is dependent upon the system closed loop response. 

b. With active/standby systems a failure detection device must assess 
that the active channel has failed, automatically disconnect it, and switch 
to a good channel. The failure transient is dependent upon the failure 
detection level, the switching time and the tracking of the standby channel. 

Failure Detection 


Detection and indication of failures during operation must be provided 
so that failed channels or actuators can be disengaged to preserve the integ- 
rity of the system. The fail:ire detection system must be designed to detect 
all types of failures; hardover, passive, and oscillatory and slowovers or 
ramps which could produce an vuisafe situation. 
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The ability of the failure detection system to sort out legitimate 
failures from apparent failures which might occur due to adverse tolerances 
has an equivalence in reliability. If the failure detection systen trips a 
channel off inadvertently due to an apparent failure , the equivalent 
mean-time-between»*failure (MTBP) for the system may be significantly affected. 

Failures in parallel active systems may be sensed by in-line monitoring 
of actiiator characteristics or by cross channel monitoring between active 
actuators. A method of reducing the number of redundant actuators is to add 
a model of a working channel and use it for cross channel monitoring. While 
this extends the system fail operational capability with one less working 
channel, its effectiveness depends on how well the model matches the actual 
hardware. In certain applications, where actuators are large and where weight 
is critical, the model approach may provide a way to minimize the overall 
weight. 

In active/standby systems each channel must be individually monitored for 
failure detection. Each control channel is usually duplicated or modeled to 
provide the comparison required to detect failure of the active channel. 

Load Sharing 

Load sharing is a measure of the ability of multiple actuators with 
identicGd inputs to work together in positioning a common output. Load sharing 
is a problem peculiar to force voted actuators since, obviously, there is no 
force fighting in an active/ standby system when only one system controls at a 
time, or in position summed and rate summed systems where forces of individual 
actuators are additive. 

Ideally, it is desirable that the load be divided equally among redundant 
actuators to eliminate any force fighting. However, tracking errors arise due 
to tolerance buildup in each actuator servo loop and actuator installation 
that tend to make each actuator seek a \jnique position even though the input 
commands are identical . With the actuators tied to a common output all posi- 
tion commands cannot be satisfied and force fight occurs between actuators. 

To minimize the force fighting in force voted actuator configurations and 
assure acceptable sharing of the load, four methods are commonly used; 

a. Acc\irate tolerance control of the feedback loop of the actuator. 

A mechanical actuator can be mechanized with good tolerance control because 
of the manufacturing accuracies that are possible and the unchanging nature 
of the mechanical linkages. 

An electrically controlled actuator has command path elements such 
as summing amplifiers, demodulators, and feedback transducers which can change 
characteristics with time, temperature, and power. It is generally accepted 
that the tolerances associated with an electronically controlled actuator are 
significantly greater than for a mechanically controlled actuator. 
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b. Conpliance between channels. In some applications the structural 
compliance between actuators allows sufficient individual actuator position 
difference to reduce force fight through the normal position feedback loop, 

c. Low force gain actuators. Low pressure gain servovalves can be used 
to reduce the force fight resulting from expected valve commeuad differences 
to an acceptable level. In some applications a feedback path consisting of 
deflections of the actuators' reaction structure has been sufficient to pro- 
vide the actuator force gain reduction* and reduced force fight. Another way 
to reduce actuator force gain is to use actuator pressure as a feedback 
command. However, there is a limit to the amount of compliance that can be 
tolerated without reducing the overall actuator stiffness below the minimum 
allowable level. Reducing actuator force gain (stiffness) has been used 
successfully where the inputs are reasonably matched* such as a set of sur- 
face power actxiators signalled by a common mechanical command, or in secondary 
actuators where the output load is small. 

d. Equalization to average load. For cases where the actuators are 
required to operate into large aerodynamic loads and have \ancontrolled input 
mismatch* any pressure feedback system requires modification to be useful. 

The individual actuator load must be compared to the average load. Computation 
of the average load and the individual difference from average requires cross 
channel comparison. This method does not degrade actuator stiffness but adds 
complexity auid introduces the possibility of cross chaunnel failures. 

Input Mismatch 

Differences in commeuids (input mismatch) due to tolerances in an 
electrical control system, from sensor to actuator, can be quite high* as 
much as a quarter of full scale command* \inless some design precautions are 
taken to prevent such buildup. It should be noted that differences in com- 
mands generated by actuator loop tolerances are an order of magnitude less 
theua those generated by computational elements in the upstream portions of 
the system. The various methods of redundant actuator mechanization deal 
with the input mismatch problem as itemized below, 

a. Force Voting Systems. In force voted systems the output is the mid 
value of all input commands. The force fight that occurs due to input com- 
mand mismatch can be reduced by the same methods used to instire load sharing. 

In some applications the only possible means of controlling command differ- 
ences may be the use of electronic signal conditioning to reduce the input 
mismatch. 

b, Velocity Stunming Systems, Velocity summed actuators allow the 
individual channels to cancel command differences by differentially sxunming 
rates. 


c. Position Summing Systems, Position summed actuators give a single 
output which is the average of the input commands. 
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d. Active/Standby Systems. Usually the active actuator is commanded 
by a single electronic channel and mismatch is of no concern during operation. 
Mismatches between the commands of the active and the standby channel are of 
concern* however, and must be minimized to avoid large surface transients 
upon switching from active to standby actuators. 


SECONDARY ACTUATORS 


Surface actuator input signals can be either electrical or mechanical. 

A dual load path mechanical signal to three power actuators can satisfy all 
reliability req.uirements. However, the control signals for critical stability 
augmentation or fly-by-wire systems will be electrical. 

The power associated with the electronic signals for fly-by-wire command, 
autopilot, and stability augmentation systems must be kept at low levels as 
a matter of good design. These low level signals are required to command sur- 
face actuators that operate at high power levels. To transform the electrical 
commands to surface displacements controlled by large hydratilic power actuators 
requires several stages of amplification. Review of current redundant flight 
control actuation systems shows an almost universal use of small electrically 
signaled hydraulic actuators as one of the stages of amplification. These 
small actuators are termed secondary actuators. 

It is advantageous to treat the command path and computation and power 
actuation errors independently by inserting a synchronizing stage between the 
two functions. The synchronizing stage provides a single valued command and 
may be an electronic voter or a mechanical output of a secondary actuator 
arrangement. Some of the advantages of synchronizing are; 

a. When surface power actuators are isolated from the upstream command 
differences, the task of providing adequate power actuator load shsuring 
becomes easier, permitting a simpler and more reliable mechanization, 

b. When secondary actuators are used to provide the synchronizing stage 
they do not eliminate the problems of redundant actuators but the magnitude 
of the problems are less severe because the secondary actuators operate at 
significantly lower force levels than the surface power actuators. 


SYSTEM SELECTION 


Four types of actuator redundancy have been discussed. It has also been 
shown that prevailing control system designs use secondary act;iators as a 
stage of signal amplification and as a means of command path synchronization. 
Surface power actuators are usually force voted mechanical input actuators. 
The system differences are in the redundancy mechanization of the secondary 
actuators. Active/standby and force voted systems predominate by a large 
margin with force voted systems the most common. 
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Although the use of velocity summing solves the problem of force fight 
there are disadvantages vhich msike this type of system a questionable candi- 
date for future use in critical flight control applications on civil aircraft. 
The complex gearing could make it difficult to prove that jam-type failures 
would be extremely remote, as required by FAA regulations. Also, for the same 
output force the electromechanical actuator is larger and heavier than an 
equivalent elect rohydraulic actuator. One advantage would be the availability 
of four independent actuator signals in an airplane with only three hydraulic 
signals. Another advantage for military aircraft is the reduced vulnerability 
to loss of hydraulic systems. 

Position summed systems are difficult to mechanize for more than two 
redundant channels because of the complex linkage required. In addition the 
loss of rate and travel capability after failure and the inherent output 
position transient that occurs with failure are also disadvantages. 

The active/standby and the force voted systems have advantages and 
disadvantages that must be considered in conjiinction with the specific air- 
plane and control system application. Tha most significant differences 
between the two types of systems are; 

Normal Performance 

The single channel operation of the active/standby system can give 
optimian performance. In the force voted system residual actuator force fight 
can affect output resolution and reduce actuator stiffness, 

i 

Failiire Transients 


Force voted systems can be mechanized to give very small failure 
transients. The active/standby system must trade failure detection levels 
and nuisance trips against the allowable failiire transient. 

Performance After Failure 


The active standby systems preserve normal performance in the failure 
sequence from the active channel to the standby channel and on to the second 
standby channel. The force voted system may suffer a performance degradation 
as it fails down. This degradation can be exhibited as reduced resolution 
capability and force output. 

Failure Detection 


The active/standby concept requires immediate failtire detection to be 
safe following failures. The force voted concept does not require immediate 
detection of a failure to be safe. Failure detection is only required to 
enable a failed channel to be shut down before another failure occurs. 

Switching 

Each standby channel must be continually monitored to assure that it is 
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capable of control if the active channel fails. Further, somewhere in the 
system a device like a switch or blocking valve is required to operate with- 
out prior knowledge of its condition to provide a successful transfer to a 
standby channel. Force voted systems are comprised of only active channels 
continually monitoring each other and require no inmediate switching to be 
safe. 


CONCLUDING REMARKS 


Advanced technology airplanes will require redundant flight control 
actuators to achieve reliability because operational stability augmentation 
system will be essential for safe flight and acceptable airplane handling 
qxialities. 

Surface restraint to meet the fail safe requirements for flutter 
prevention and minimum safe controllability requirements will dictate ,the 
minimum redundancy levels for control surface power actuators. Airplanes 
with redundauit flight control surfaces may have dual surface power actuators 
if a third hydraulic system is provided. Control surfaces that are critical 
for control fxmctions will require at least three actuators per sxirface in 
order to meet FAA requirements and provide an adequate level of safety. 

Reliability requirements for control systems that amplify autopilot, 
stability aiigmentation, and pilot commands and provide inputs to the control 
surface power actuators are determined by the need to remain operational in 
spite of control channel malftmctions . Actuation systems with fault cor- 
rective capability that will meet the system reliability requirements and 
satisfy FAA regulations require at least four active channels or three mon- 
itored channels. Svirface power actuators could be mechanized with this level 
of redundancy but it has been found to be more efficient to utilize small 
secondary actuators to provide a reliable single valued mechanical input to 
three surface power actuators of reduced complexity. 

Based on a review and examination of current redundant actuation systems, 
two concepts were found to be representative of secondary actuator mechani- 
zation which meet advanced civil airplane flight control system requirements. 
The two actuator configurations are a foixr channel force voted system and 
a three channel active /standby system. Both of these systems should be 
considered since they reflect different design philosophies. 

Redundant control systems have operating and failure characteristics that 
are affected by overall control system and airplane design. Redundant actua- 
tors should be studied in conjunction with pilot and airplane to understand 
pilot reaction and airplane response to variations in control system charac- 
teristics and failures. 
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